AAA authorization problem

spanglenuts (Level 1)

I have the following config on my switch...

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 10 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

The problem is that when I log into the switch via the console port and enter these commands, I instantly get "Command Authorization Failed" on any commands thereafter. It's mind-boggling because there is no possible way the switch is talking to my Cisco ACS. I didn't even put in the tacacs-server key. I'm being forced to reboot the box each time. What am I missing?

Thank you for your time. I'm using IOS Version 12.2(25)SEB4.

-Andrew


4 Replies

chaitu_kranthi (Level 1)

Hi

Before doing the TACACS configuration, create one local user.

Add the following commands.

username cisco password cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host x.x.x.x
tacacs-server key ........

Please score me if it helps you.

Just so I'm clear, after I create a user account, should I only do the commands that you listed, or can I do all of my commands?

I'll make sure to score ya.

Thanks,

Andrew

As per my concern, those commands are enough.

Jagdeep Gambhir (Level 10)

Andrew,

What you are getting is not an expected behavior. By default, command authorization is disabled on the console port, so a console session should not check for any authorization.

To enable it, we need to use a hidden command on IOS: aaa authorization console

It seems that you have not issued that command, but it is still checking for authorization.

It seems we are hitting a bug here. Please check these bugs: CSCeb08860 and CSCsg74428.

Please consider an upgrade, or apply the workaround described in the bug.

Regards,

~JG
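As an added example that is not part of any reply in this thread: a small Python audit that checks an IOS AAA snippet for the conditions the two answers point at, namely a `local` fallback or command authorization configured before any local user exists, `group tacacs+` referenced without a `tacacs-server host` or `tacacs-server key`, and the `aaa authorization console` command being present. Both sample configs are constructed from the thread's own lines.

```python
# Constructed sample A: the original poster's config (no local user, no TACACS server or key).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE line
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""
# Constructed sample B: the config from the accepted reply, with a local user created first.
FIXED_CONFIG = """\
username cisco password cisco
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
tacacs-server host x.x.x.x
tacacs-server key ........
"""

def audit_aaa(config: str) -> list[str]:
    """Return a list of lockout / misconfiguration findings for an IOS AAA snippet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has_local_user = any(l.startswith("username ") for l in lines)
    has_tacacs_host = any(l.startswith("tacacs-server host") for l in lines)
    has_tacacs_key = any(l.startswith("tacacs-server key") for l in lines)
    uses_tacacs = any("group tacacs+" in l for l in lines)
    # Method lists whose last method is 'local' only help if a local username exists.
    local_fallback = [l for l in lines if l.startswith("aaa ") and l.endswith(" local")]
    cmd_authz = [l for l in lines if l.startswith("aaa authorization commands ")]
    console_authz = any(l == "aaa authorization console" for l in lines)
    findings = []
    if uses_tacacs and not has_tacacs_host:
        findings.append("group tacacs+ used but no tacacs-server host configured")
    if uses_tacacs and not has_tacacs_key:
        findings.append("group tacacs+ used but no tacacs-server key configured")
    if local_fallback and not has_local_user:
        findings.append("'local' fallback listed but no local username defined: lockout risk")
    if cmd_authz and not has_local_user:
        findings.append("command authorization enabled before any local user exists: lockout risk")
    if console_authz:
        findings.append("aaa authorization console is set: console sessions are subject to command authorization")
    return findings
```

Run `audit_aaa` over a config before pushing it; sample A yields four findings and sample B yields none.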